b'National Aeronautics and\nSpace Administration\n\nOffice of Inspector General\nWashington, DC 20546-0001\n                                                  February 28, 2008\n\nTO:                 Chief Information Officer\n\nFROM:               Assistant Inspector General for Auditing\n\nSUBJECT:            Final Memorandum on Audit of Retention of NASA\xe2\x80\x99s Official Electronic\n                    Mail (Report No. IG-08-010; Assignment No. A-07-007-00)\n\n\nThe Office of Inspector General (OIG) conducted an audit of NASA\xe2\x80\x99s retention of\nofficial electronic mail (e-mail). Our overall objective was to determine whether NASA\nwas effectively and efficiently managing its official e-mail records in accordance with\napplicable statutory and regulatory requirements. Specifically, we determined whether\nNASA had (1) established and implemented adequate policies and procedures to ensure\nthat e-mail users identified, designated, stored, and retained official e-mail\ncommunication in accordance with National Archives and Records Administration\n(NARA) regulations and (2) developed and implemented training to ensure that all\nAgency e-mail users were aware of and understood the process by which to identify,\ndesignate, store, and retain official e-mail communication in accordance with NARA\nregulations and NASA\xe2\x80\x99s requirements. We also reviewed internal controls as they\nrelated to the overall objective. (See Enclosure 1 for details on the audit\xe2\x80\x99s scope and\nmethodology.)\n\nExecutive Summary\nWe found that NASA was not effectively and efficiently managing its official e-mail\nrecords in accordance with applicable statutory and regulatory requirements. Although\nNASA had established records management 1 policies and procedures in accordance with\nNARA regulations, NASA\xe2\x80\x99s e-mail retention guidance does not adequately address\nNARA\xe2\x80\x99s requirements for electronic records 2 management. As of January 2008, NASA\n\n1\n    NARA Title 36, Code of Federal Regulations (C.F.R.), Part 1220, \xe2\x80\x9cFederal Records; General,\xe2\x80\x9d\n    Section 1220.14, \xe2\x80\x9cGeneral Definitions,\xe2\x80\x9d defines records management as the planning, controlling,\n    directing, organizing, training, promoting, and other managerial activities involved with respect to records\n    creation, records maintenance and use, and records disposition in order to achieve adequate and proper\n    documentation of the policies and transactions of the Federal Government and effective and economical\n    management of agency operations.\n2\n    NARA 36 C.F.R., Part 1234, \xe2\x80\x9cElectronic Records Management,\xe2\x80\x9d Section 1234.2, \xe2\x80\x9cDefinitions,\xe2\x80\x9d defines\n    electronic records as any information that is recorded in a form that only a computer can process and that\n    satisfies the definition of a Federal record. NARA 36 C.F.R., Part 1220, Section 1220.14 defines records\n    to include all books, papers, maps, photographs, machine readable materials, or other documentary\n    materials, regardless of physical form or characteristics, made or received by an agency of the\n    U.S. Government under Federal law or in connection with the transaction of public business and\n    preserved or appropriate for preservation by that agency or its legitimate successor as evidence of the\n    organization, functions, policies, decisions, procedures, operations, or other activities of the Government\n    or because of the informational value of the data in them.\n\x0c                                                                                                         2\n\n\n\npersonnel continued to operate under Chief Information Officer (CIO) Executive\nNotice 12-96, \xe2\x80\x9cNASA Electronic Mail,\xe2\x80\x9d which was issued in February 1996 and\nmodified once in February 2000. Updated guidance was needed to replace the Executive\nNotice, which lacks details on the retention of official e-mail correspondence and cites\nNASA policies that no longer exist.\n\nThe responses to our survey questionnaires, 3 which were designed to verify compliance\nwith regulations and requirements, also showed that NASA was not managing its official\ne-mail records in accordance with applicable statutory and regulatory requirements. Of\nthe 40 senior management officials surveyed, 37 (92.5 percent) were noncompliant with\nregulations and requirements to identify, designate, store, and retain official e-mail\ncorrespondence. The responses also showed that NASA was not performing reviews in\naccordance with NARA regulations and NASA\xe2\x80\x99s requirements, and none of the\ndocumented reviews specifically addressed electronic records management. Electronic\nrecords management reviews can better ensure that Agency personnel are identifying and\nretaining official e-mail correspondence as required by NARA regulations and NASA\xe2\x80\x99s\nrequirements.\n\nNASA\xe2\x80\x99s noncompliance with NARA regulations and NASA\xe2\x80\x99s requirements for records\nmanagement increases the risk of permanent loss of (1) institutional memory, (2) records\ncontaining essential transactions that protect the legal and financial rights of the\nGovernment and persons directly affected by NASA activities, and (3) records permitting\nNASA to be responsive to Congress and oversight agencies.\n\nNASA, in an effort to more efficiently and effectively manage its official e-mail\ncorrespondence, developed comprehensive electronic records management guidance and\nAgency-wide electronic records management training. The guidance was approved\nFebruary 4, 2008, and NASA implemented the training in February 2008. Also, in\nNovember 2007, NASA began migrating existing e-mail server environments to a single\nAgency-wide e-mail system called NASA Operational Messaging and\nDirectory (NOMAD) to manage its multiple e-mail server environments. NASA expects\nthat the migration will be completed by the end of the second quarter of calendar\nyear 2008 and that NOMAD will be fully operational by the end of fiscal year 2008.\n\nNOMAD, once fully operational, will serve as NASA\xe2\x80\x99s e-mail system. NOMAD will\nalso serve as the interface with, initially, an e-mail archiving capability and, later, with a\nrecords management application. As an interim measure until NOMAD becomes fully\noperational, NASA identified and began capturing all e-mail correspondence of 146 \xe2\x80\x9cTop\nManagement Officials\xe2\x80\x9d for permanent retention. NASA defined Top Management\nOfficials as heads of any organizational level that has been delegated the responsibility of\nserving as \xe2\x80\x9coffice of record\xe2\x80\x9d or \xe2\x80\x9cOffice of Primary Responsibility.\xe2\x80\x9d The interim\nmeasure, while meeting NASA\xe2\x80\x99s retention schedule requirements for Top Management\n\n3\n    Two different surveys were conducted. See Enclosure 3 for the questionnaire used for Senior\n    Management Officials and Enclosure 4 for the questionnaire used for the Records Officer and Center\n    Records Managers.\n\x0c                                                                                          3\n\n\n\nOfficials, does not fully comply with NARA\xe2\x80\x99s electronic recordkeeping regulations for\nelectronic records retention. All Center e-mail systems will be integrated into NOMAD\nby the end of the second quarter of calendar year 2008, and senior management\xe2\x80\x99s e-mail\nmessages will be archived beginning the third quarter of calendar year 2008.\n\nOur January 18, 2008, draft of this memorandum recommended that the Office of the\nCIO finalize and issue the revision to NASA Procedural Requirements (NPR) 1441.1D,\n\xe2\x80\x9cNASA Records Retention Schedules (w/Change 3, 1/31/06).\xe2\x80\x9d The draft NPR revision\nprovides specific guidance for electronic records management. Once revised, NASA\nshould rescind CIO Executive Notice 12-96. Also, we recommended that the NASA CIO\nimplement mandatory electronic records management training; reinforce the\nidentification, retention, and archiving requirement of official electronic\nrecords (including e-mail); and monitor electronic records management reviews to ensure\nthey are performed as required by NARA and NASA.\n\nNASA management\xe2\x80\x99s comments on the draft of this memorandum are responsive (see\nEnclosure 5). We have closed two recommendations and will close the other two upon\ncompletion and verification of management\xe2\x80\x99s corrective action.\n\nBackground\nUnder the National Archives and Records Administration Act of 1984, NARA is\nresponsible for ensuring the adequacy of documentation and records disposition, and\nFederal agencies are responsible for ensuring that records management programs comply\nwith NARA regulations. Specifically, NARA 36 C.F.R., Section 1234.10, \xe2\x80\x9cAgency\nResponsibilities,\xe2\x80\x9d requires agencies to develop and implement an agency-wide program\nfor the management of all records created, received, maintained, used, or stored on\nelectronic media. NARA requires agencies to establish procedures for records\nmanagement, provide adequate training, and perform reviews to ensure conformance to\nestablished agency procedures, standards, and policies.\n\nNARA 36 C.F.R., Section 1234.24, \xe2\x80\x9cStandards for Managing Electronic Mail Records,\xe2\x80\x9d\nstates that agencies must not use a recordkeeping system that includes e-mail messages\nunless that system (1) provides for the grouping of related records, (2) permits easy and\ntimely retrieval of both individual records and files, (3) retains the records in a usable\nformat for the required retention period, (4) is accessible by individuals who have a\nbusiness need, (5) preserves the transmission and receipt data, and (6) permits transfer of\npermanent records to NARA. If the e-mail system is not designed to be a recordkeeping\nsystem, agencies must instruct staff on how to copy Federal records from the e-mail\nsystem to a recordkeeping system. NARA regulations require agencies that maintain\npaper files as their recordkeeping system to print their e-mail records and the related\ntransmission and receipt data.\n\nNASA Policy Directive (NPD) 1440.6G, \xe2\x80\x9cNASA Records Management,\xe2\x80\x9d December 12,\n2002, and NPR 1441.1D implement the NARA regulations. NPD 1440.6G mandates that\nNASA management implement adequate training, processes, and controls to properly\n\x0c                                                                                                        4\n\n\n\npreserve official Agency records regardless of format or media (including e-mail\ncorrespondence) and to protect the trustworthiness of electronic records. NPR 1441.1D\nsets forth the guidelines and retention schedules for Federal records based on the record\ncategory 4 and the position of the employee creating the record. Section I.7 of the NPR,\n\xe2\x80\x9cElectronic Records,\xe2\x80\x9d includes the following:\n           a. Electronic records are electronically recorded data (including e-mail), or paper\n           records converted, that meet both of the following conditions are Federal records and\n           must be scheduled and cared for appropriately:\n\n               (1) They are made or received by NASA under Federal law or in connection\n               with the transaction of public business; and,\n               (2) They are preserved or appropriate for preservation as evidence of\n               NASA\xe2\x80\x99s activities or because of the value of the information they contain.\n               The same policies and procedures that apply to other record mediums also\n               apply to electronic records with a few exceptions. These exceptions are\n               based on the need to have information about the system, the media being\n               used, and the data being acquired.\n\nBecause NASA does not have an official electronic recordkeeping system, NASA\nrequires identifying, printing, and filing of official e-mail correspondence in accordance\nwith NARA\xe2\x80\x99s recordkeeping regulations for paper files. NASA\xe2\x80\x99s CIO Executive\nNotice 12-96, which was modified in February 2000 and was in effect as of January\n2008, provides guidance specific to official e-mail correspondence, stating that e-mail\nshould not be used for official business. The Executive Notice also states, however, that\nshould official business be transacted using this system (e-mail), hardcopy documents of\nthe e-mail messages must be produced, filed, maintained, and disposed of in accordance\nwith appropriate records management guidance. In addition, the Executive Notice states\nthat e-mail systems are not storage systems.\n\nNASA Had Not Finalized Comprehensive Guidance for Electronic\n Records Management\nNASA had established records management policies and procedures in accordance with\nNARA regulations; however, NASA\xe2\x80\x99s e-mail retention guidance, Executive\nNotice 12-96, lacks details on the retention of official e-mail correspondence and cites\nNASA policies that no longer exist. For example, the Executive Notice requires\nhardcopy retention of e-mail messages \xe2\x80\x9c[s]hould official business be transacted using this\nsystem,\xe2\x80\x9d but does not provide any guidance on how to identify e-mail messages as\nofficial documents requiring retention. In addition, the Executive Notice cites NASA\nHandbook 1441.1B, which NPR 1441.1D has replaced, and refers to outdated retention\nschedules.\n\n\n4\n    The NASA Records Retention Schedules are divided into 10 subject categories, such as Organizational\n    and Administrative, Legal and Technical, and Human Resources \xe2\x80\x93 Personnel, and correlate to the Agency\n    Filing Scheme.\n\x0c                                                                                                        5\n\n\n\nNASA had developed comprehensive, updated guidance but as of January 2008 had not\nfinalized that guidance. Specifically, the draft revision to NPR 1441.1D, Section I.7,\nprovides guidance on the retention of electronic records, to include e-mail, that would\nhelp ensure that employees understand and comply with NARA regulations for electronic\nrecords management. Once the revised NPR is issued, NASA should rescind Executive\nNotice 12-96.\n\nNARA 36 C.F.R., Section 1234.24 requires agencies to develop procedures for the\nmaintenance of e-mail records in appropriate recordkeeping systems. NPR 1441.1D,\nSection I.7e lacks electronic records management guidance and states that \xe2\x80\x9c[m]ore\nspecific policy, procedures, and guidelines for identifying and managing electronic\nrecords are under development by the Office of the NASA Chief Information Officer.\xe2\x80\x9d\nThat statement has been in NPR 1441.1D since it was initially issued in February 2003.\nTo resolve the need for specific electronic records management guidance, the Agency\nRecords and Privacy Act Officer (NASA\xe2\x80\x99s Records Officer) developed electronic records\nmanagement guidance for NPR 1441.1D, Section I.7. However, as of January 2008, that\nguidance still needed to be submitted to the NASA CIO for review, approval, and\ninclusion in the NPR.\n\nNASA Personnel Do Not Always Understand and Comply with Federal and\n NASA Regulations\nTo verify senior management\xe2\x80\x99s understanding and compliance with NARA regulations\nand NASA\xe2\x80\x99s requirements for the identification and retention of official e-mail\ncorrespondence, as set forth in Executive Notice 12-96, we surveyed NASA\xe2\x80\x99s senior\nmanagement officials (Administrator, Associate and Assistant Administrators, Center\nDirectors and Deputy Directors, and Mission and Program Directors and their Deputies).\nAfter identifying the officials from NASA Headquarters (HQ), Johnson Space\nCenter (JSC), and Ames Research Center (ARC), we non-statistically selected, by\nlocation, 25 percent of the total. 5 A total of 40 senior management officials were chosen\nand provided a questionnaire for completion (see Enclosure 3). We obtained a\n100 percent response for the questionnaire.\n\nBased on questionnaire responses and subsequent interviews, we found that 18 senior\nmanagement officials (45 percent of those surveyed) were not aware of their\nresponsibilities, were uncertain whether they were required to retain their e-mail, or were\nuncertain of how they were to retain e-mail. Because each employee is responsible for\ndetermining whether materials, including e-mail correspondence, are an official record\nrequiring retention, NASA needs to ensure that current and adequate guidance exists for\nemployees to make informed e-mail records management decisions and to reduce\nNASA\xe2\x80\x99s risk of losing institutional memory, documentation of essential transactions, or\nrecords that support NASA decisions.\n\n5\n    NASA audit liaison representatives at the three locations identified 157 NASA personnel as senior\n    management officials (70 from HQ, 59 from JSC, and 28 from ARC).\n\x0c                                                                                                              6\n\n\n\nNASA\xe2\x80\x99s Retention of Official E-Mail Correspondence Needs Improvement\nNASA had not ensured that senior management officials were identifying, designating,\nstoring, and retaining official e-mail correspondence in accordance with NARA\nregulations and NASA\xe2\x80\x99s records management requirements. NARA 36 C.F.R.,\nSection 1234.24 identifies specific criteria that must be in place for an electronic\nrecordkeeping system to be used as an official recordkeeping system and states that\nagencies must not use an e-mail system to store Federal records unless the system meets\nthe specific criteria. If e-mail systems do not meet the specified criteria, agencies can\ncopy e-mail correspondence to a system that does or print relevant e-mail correspondence\nfor retention with their paper files. Because NASA does not have an official electronic\nrecordkeeping system, NASA\xe2\x80\x99s CIO Executive Notice 12-96 states that if e-mail\ncorrespondence is used as an official document, it must be printed, filed, maintained, and\ndisposed of in accordance with appropriate records management guidance.\n\nOf the 40 senior management officials surveyed, 3 (7.5 percent) were complying with\nNARA regulations and NASA\xe2\x80\x99s records management requirements by printing and\nretaining official e-mail correspondence. The remaining 37 (92.5 percent) did not\ncomply. Those officials stated that e-mail was not official correspondence (5, or\n12.5 percent), that they did not retain any e-mail (14, or 35 percent), or that they retained\nofficial e-mail electronically on local hard drives or network servers (18, or 45 percent).\n\nNPR 1441.1D, Schedule 1, Item 22, states that records of high-level officials or, more\nspecifically, records of the \xe2\x80\x9cOffice of the Administrator, Deputy, Associate\nAdministrator, Assistant Administrator, Center Director, or equivalent management\nlevels . . . reflecting policy, studies, and analyses and program development, including\ncorrespondence and informal notes between NASA officials; with private sources,\nforeign governments, and other U.S. Government agencies\xe2\x80\x9d are permanent records. 6\nItem 22 also states that records of Division offices and lower can be destroyed or deleted\nwhen 2 years old and that \xe2\x80\x9c[r]outine materials containing NO substantive information\nregarding the daily activities of other than high level officials\xe2\x80\x9d can be destroyed or\ndeleted when no longer needed. All five of the senior management officials who stated\nthat their e-mail was not official correspondence are classified as either Top Management\nor Division-level Officials, thus requiring retention of their e-mail correspondence for at\nleast 2 years. In fact, one of the five officials had already been identified by NASA as a\nTop Management Official for permanent e-mail retention, and according to NASA\xe2\x80\x99s\nRecords Officer, the remaining four senior management officials would fall into the\n2-year retention period, based on their role or support function.\n\nUnless all of NASA\xe2\x80\x99s senior management officials comply with records retention\nrequirements to identify and retain official e-mail correspondence, NASA may lose or\n\n\n\n6\n    Permanent records may be retired to a Federal Records Center, or an approved facility, when 5 years old\n    and then transferred to NARA when 10 years old.\n\x0c                                                                                                         7\n\n\n\nmay have lost records containing essential transactions that protect the legal and financial\nrights of the Government and persons directly affected by NASA activities.\n\nNASA\xe2\x80\x99s Records Management Training Needed to Be Implemented\nNASA had not implemented Agency-wide electronic records management training, or\nreminded all employees annually, to ensure that all e-mail users were aware of records\nmanagement requirements and understood the process of identifying, designating,\nstoring, and retaining official e-mail correspondence. NARA 36 C.F.R., Part 1222,\n\xe2\x80\x9cCreation and Maintenance of Federal Records,\xe2\x80\x9d Section 1222.20, \xe2\x80\x9cAgency\nResponsibilities,\xe2\x80\x9d requires that adequate training be provided to all agency personnel on\npolicies, responsibilities, and techniques for the implementation of recordkeeping\nrequirements and the distinction between records and nonrecord materials, regardless of\nmedia, including those materials created by individuals using computers to send or\nreceive electronic mail. In addition, each Federal agency is required to remind all\nemployees annually of the agency\xe2\x80\x99s recordkeeping policies and of the sanctions provided\nfor unlawful removal or destruction of Federal records. Similarly, NPD 1440.6G\nmandates the implementation of adequate training to properly preserve official Agency\nrecords in accordance with applicable statutory and regulatory requirements and requires\nNASA\xe2\x80\x99s Records Officer to provide records management training to Agency personnel.\n\nDuring our audit, NASA\xe2\x80\x99s Records Officer stated that NASA does not have Agency-wide\nelectronic records management training, and our survey of the Records Officer and\nCenter Records Manager identified that only 3 of the 13 Center Records Managers 7\nmaintained documentation to support the performance of Center-based electronic records\nmanagement training. In addition, of the 40 senior management officials surveyed,\n37 (92.5 percent) stated that they had not received records management training. Aside\nfrom the newly implemented retention of Top Management Officials\xe2\x80\x99 e-mail, NASA\nrelies on Agency personnel to identify official e-mail correspondence for retention and,\ntherefore, electronic records management training is critical to ensure that Agency\npersonnel can identify official e-mail correspondence and take the proper steps to avoid\nthe risk of permanent loss of NASA\xe2\x80\x99s institutional memory and decision-making record.\n\nNASA\xe2\x80\x99s Records Officer provided us with proposed electronic records management\ntraining modules in August 2007. NASA planned to implement the training through the\nSystem for Administration, Training, and Educational Resources for NASA (SATERN) 8\nin February 2008. The training includes electronic records management modules that\nwill address NARA regulations for electronic records management, to include e-mail\nretention.\n\n\n\n7\n    We surveyed NASA\xe2\x80\x99s Records Officer and 13 Records Managers at 11 Centers (including HQ, where we\n    surveyed 2 Records Managers, as we also did at the Jet Propulsion Laboratory).\n8\n    SATERN is a software application used by NASA to manage the learning activities and efforts of its\n    personnel.\n\x0c                                                                                         8\n\n\n\nNASA\xe2\x80\x99s Records Management Reviews Are Not Always Performed\nNASA\xe2\x80\x99s Records Officer and Center Records Managers did not consistently perform\nrecords management reviews to ensure compliance with NARA regulations and NASA\xe2\x80\x99s\nrequirements. NARA 36 C.F.R., Section 1220.42, \xe2\x80\x9cAgency Internal Evaluations,\xe2\x80\x9d\nrequires agencies to periodically evaluate its records management programs relating to\nrecords creation and recordkeeping requirements, maintenance and use of records, and\nrecords disposition. NARA states that the evaluations should include periodic monitoring\nof staff determinations of the record status of documentary materials in all media and the\nimplementation of these determinations. In addition, NARA 36 C.F.R., Section 1234.10\nrequires agencies to perform reviews to ensure compliance with established agency\nprocedures, standards, and policies for electronic records management. NPD 1440.6G\nmandates that NASA\xe2\x80\x99s Records Officer perform records management reviews to\ndetermine whether needed documentation is being created and maintained. The NPD\nalso requires that Center Records Managers perform reviews to ensure that permanent\nand official records throughout the Agency are selected, identified, and protected. In\naddition, the NPD calls for Center Records Managers to report annually to the CIO any\ndiscrepancies that indicate records were not protected, preserved, and maintained in\ncompliance with current regulations. We found that NASA\xe2\x80\x99s Records Officer and Center\nRecords Managers were not performing the reviews in accordance with NARA\nregulations and NASA\xe2\x80\x99s requirements.\n\nWhile conducting our survey of NASA\xe2\x80\x99s Records Officer and the 13 Center Records\nManagers, we requested documentation supporting records management reviews and\nself-assessments performed between January 1, 2005, and December 31, 2006.\nOnly 3 (21 percent) of the 14 9 could provide documentation supporting records\nmanagement reviews. However, none of those documented reviews specifically\naddressed electronic records management. Electronic records management reviews can\nbetter ensure that Agency personnel are identifying and retaining official e-mail\ncorrespondence as required by NARA regulations and NASA\xe2\x80\x99s requirements.\n\nNASA\xe2\x80\x99s noncompliance with electronic records management regulations and\nrequirements increases the risk of permanent loss of (1) institutional memory, (2) records\ncontaining essential transactions that protect the legal and financial rights of the\nGovernment and persons directly affected by NASA activities, and (3) records permitting\nNASA to be responsive to Congress and oversight agencies.\n\nAgency Migrating to an Electronic Recordkeeping System\nAlthough an electronic recordkeeping system is not required for maintaining records,\nNASA, in an effort to improve e-mail recordkeeping efficiency and effectiveness, began\nmigrating existing e-mail server environments to a single Agency-wide e-mail system\ncalled NOMAD in November 2007. Because NOMAD, by itself, will not meet NARA\n\n9\n    NASA\xe2\x80\x99s Records Officer and 13 Center Records Managers.\n\x0c                                                                                        9\n\n\n\nregulations for an electronic recordkeeping system, NOMAD will interface with\nsoftware, not yet procured, that meets the Department of Defense (DoD) 5015.02-STD,\n\xe2\x80\x9cElectronic Records Management Software Applications Design Criteria Standard,\xe2\x80\x9d\nApril 25, 2007, which NARA endorses as the standard for an electronic recordkeeping\nsystem. NASA expects that NOMAD and the interfacing software will be fully\noperational by the end of fiscal year 2008. Once fully implemented, it will archive\nelectronic messages of all senior managers who generate permanently valued messages,\npermitting easy search and retrieval for discovery purposes, as well as enabling easy\ncapture for their transfer to NARA.\n\nIn the interim, NASA identified and began capturing all e-mail correspondence of\n146 Top Management Officials. Although this approach does not comply with NARA\nregulations for electronic recordkeeping, it does provide for the permanent retention of\nNASA senior management officials\xe2\x80\x99 e-mail correspondence until NOMAD becomes fully\noperational. Although NASA\xe2\x80\x99s actions (NOMAD and the permanent retention of Top\nManagement Officials\xe2\x80\x99 e-mail correspondence) will substantially reduce the risk of\ninadvertent loss of official e-mail correspondence, NASA must take additional corrective\nactions to ensure that Agency personnel comply with NARA regulations and NASA\xe2\x80\x99s\nrequirements.\n\nRecommendations, Management\xe2\x80\x99s Response, and Evaluation of\n Management\xe2\x80\x99s Response\nRecommendation 1. The NASA Chief Information Officer should finalize and issue\nrevised guidance\xe2\x80\x94specifically, revisions to NPR 1441.1D, Section I.7\xe2\x80\x94for identifying\nand managing electronic records regardless of the retention environment and format\n(hardcopy or electronic) and rescind CIO Executive Notice 12-96.\n\n   Management\xe2\x80\x99s Response. The NASA CIO concurred, stating that updated\n   procedural requirements for electronic records management have been incorporated,\n   by Change 4, into NPR 1441.1D, Section I.7. Included in Change 4 is the revision to\n   the NASA Records Retention Schedules, Item 22, which includes e-mail records, and\n   was approved by the Archivist of the United States on November 8, 2007.\n\n   The finalized, updated NPR was submitted to the NASA Directives Officer on\n   February 4, 2008, for uploading into the NASA Online Directives Information\n   System (NODIS). Once uploaded, the NASA CIO will issue a memorandum to\n   Center Directors and Headquarters Officials-in-Charge canceling CIO Executive\n   Notice 12-06.\n\n   Evaluation of Management\xe2\x80\x99s Response. Management\xe2\x80\x99s planned actions are\n   responsive. The recommendation is resolved and will be closed upon completion and\n   verification of management\xe2\x80\x99s corrective action.\n\x0c                                                                                           10\n\n\n\nRecommendation 2. The NASA Chief Information Officer should implement\nmandatory electronic records management training.\n\n   Management\xe2\x80\x99s Response. The NASA CIO concurred, stating that the Office of the\n   CIO had developed and implemented training. As of February 4, 2008, the SATERN\n   training module, \xe2\x80\x9cNASA Records Management for Everyone,\xe2\x80\x9d is required for all\n   NASA civil service employees and highly recommended for contractors who perform\n   or support NASA functions. The mandatory module provides an overview of records\n   identification and management requirements, including e-mail records, and provides\n   references to more in-depth instruction. Five additional modules are available in\n   SATERN, and four more are expected to be made available over the next several\n   months.\n\n   Evaluation of Management\xe2\x80\x99s Response. Management\xe2\x80\x99s planned actions are\n   responsive. The recommendation is resolved and closed.\n\nRecommendation 3. The NASA Chief Information Officer should reinforce the\nidentification, retention, and archiving of official electronic records (e-mail) regardless of\nthe retention environment and format (hardcopy or electronic) in accordance with NARA\nregulations and NASA\xe2\x80\x99s requirements.\n\n   Management\xe2\x80\x99s Response. The NASA CIO concurred. To reinforce employees\xe2\x80\x99\n   understanding of the requirements for identifying, retaining, and archiving official\n   records, regardless of format, the NASA CIO sent an e-mail message to all NASA\n   employees on January 24, 2008, reminding them of their general records management\n   responsibility, specifically with regard to e-mail records. Further, beginning January\n   2009, the Office of the CIO will provide annual reminders to Agency personnel of\n   their responsibilities to comply with Federal regulations and NASA policy and\n   requirements.\n\n   Evaluation of Management\xe2\x80\x99s Response. Management\xe2\x80\x99s planned actions are\n   responsive. The recommendation is resolved and closed.\n\nRecommendation 4. The NASA Chief Information Officer should monitor electronic\nrecords management reviews to ensure they are performed as required.\n\n   Management\xe2\x80\x99s Response. The NASA CIO concurred, stating that the Office of the\n   CIO will develop a records management review plan by June 30, 2008, that sets forth\n   a multi-pronged strategy for conducting periodic Center and Agency-wide reviews of\n   records management compliance.\n\n   Evaluation of Management\xe2\x80\x99s Response. Management\xe2\x80\x99s comments are responsive.\n   The recommendation is resolved and will be closed upon completion of the records\n   management review plan and our verification of management\xe2\x80\x99s corrective action.\n\x0c                                                                                       11\n\n\n\nWe appreciate the courtesies extended to our staff during the audit. If you have any\nquestions, or need additional information, please contact Ms. Wen Song, Information\nTechnology Director, Office of Audits, at 202-358-2588.\n\n\n   signed\nEvelyn R. Klemstine\n\n5 Enclosures\n\ncc:\nAgency Records and Privacy Act Officer\nDirector, Ames Research Center\nDirector, Dryden Flight Research Center\nDirector, John H. Glenn Research Center at Lewis Field\nDirector, Goddard Space Flight Center\nDirector, Jet Propulsion Laboratory\nDirector, Lyndon B. Johnson Space Center\nDirector, John F. Kennedy Space Center\nDirector, Langley Research Center\nDirector, George C. Marshall Space Flight Center\nDirector, John C. Stennis Space Center\nCIO, Ames Research Center\nCIO, Dryden Flight Research Center\nCIO, John H. Glenn Research Center at Lewis Field\nCIO, Goddard Space Flight Center\nCIO, Headquarters\nCIO, Jet Propulsion Laboratory\nCIO, Lyndon B. Johnson Space Center\nCIO, John F. Kennedy Space Center\nCIO, Langley Research Center\nCIO, George C. Marshall Space Flight Center\nDeputy CIO, George C. Marshall Space Flight Center\nCIO, John C. Stennis Space Center\n\x0c                              Scope and Methodology\nWe performed this audit from July 2007 through January 2008 in accordance with\ngenerally accepted government auditing standards. Those standards require that we plan\nand perform the audit to obtain sufficient, appropriate evidence to provide a reasonable\nbasis for our findings and conclusions based on our audit objectives. We believe that the\nevidence obtained provides a reasonable basis for our findings and conclusions based on\nour audit objectives.\n\nWe completed the following steps in conducting our audit of NASA\xe2\x80\x99s retention of\nofficial e-mail:\n\n   \xe2\x80\xa2   Identified and reviewed the NARA regulations and NASA\xe2\x80\x99s requirements (see\n       Enclosure 2).\n\n   \xe2\x80\xa2   Developed a questionnaire to survey selected senior management officials (see\n       Enclosure 3) to determine their\n           o awareness of NASA requirements for electronic records management\n             specifically the identification and retention of official e-mail;\n           o compliance with electronic records requirements;\n           o rationale for noncompliance in the event they were not complying with\n             regulations; and\n           o training received on electronic records management and specifically\n             official e-mail records.\n\n   \xe2\x80\xa2   Obtained Center-provided listings of senior management officials at HQ, JSC, and\n       ARC to ensure accurate distribution of survey questionnaire.\n\n   \xe2\x80\xa2   Verified the senior management officials\xe2\x80\x99 listings for accuracy and completeness.\n\n   \xe2\x80\xa2   Non-statistically selected, by location, 25 percent of the total using E-Z Quant\xe2\x80\x99s\n       random number generator to identify the distribution for our senior management\n       questionnaire.\n\n   \xe2\x80\xa2   Distributed the survey questionnaire to senior management officials: 18 at HQ,\n       15 at JSC, and 7 at ARC. We obtained a 100 percent response.\n\n   \xe2\x80\xa2   Analyzed the senior management questionnaire responses and conducted\n       interviews with selected senior management officials to validate responses and\n       determine compliance with NARA regulations and NASA\xe2\x80\x99s requirements.\n\n   \xe2\x80\xa2   Developed a survey questionnaire for Center Records Managers (see Enclosure 4)\n       to evaluate their\n           o requirements for storage/retention of official e-mail;\n\n                                                                               Enclosure 1\n                                                                               Page 1 of 2\n\x0c           o verification of compliance with policy;\n           o compliance in performing records management reviews;\n           o definition of an electronic recordkeeping system(s) for retention of official\n             e-mail;\n           o training received on NARA regulations and NASA\xe2\x80\x99s requirements for\n             electronic records management;\n           o requirements for and provision of training to Agency personnel on\n             electronic records management; and\n           o requirements for transferring electronic records to NARA.\n\n   \xe2\x80\xa2   Distributed the survey questionnaire to 14 Records Managers: 1 to NASA\xe2\x80\x99s\n       Records Officer at HQ and the remaining 13 to Records Managers at NASA\xe2\x80\x99s\n       11 Centers. We obtained a 100 percent response.\n\n   \xe2\x80\xa2   Analyzed the Center Records Manager questionnaire responses, verifying\n       compliance with NARA regulations and NASA\xe2\x80\x99s requirements.\n\n   \xe2\x80\xa2   Requested from all NASA Centers documentation to support records management\n       reviews and/or self-assessments performed between January 1, 2005, and\n       December 31, 2006.\n\nComputer-Processed Data. We relied on computer-processed data for this audit. We\nobtained from the audit liaison representatives at HQ, JSC, and ARC listings of persons\nidentified as senior management officials at each location. We performed limited testing\nto validate the reliability and integrity of the listings by comparing the listings provided\nagainst recent phone listings, organizational charts, and e-mail groups identified as senior\nstaff. Based on this limited testing, we placed reliance on the listings of senior\nmanagement officials to be complete.\n\nReview of Internal Controls. We reviewed internal controls for NASA\xe2\x80\x99s\nactivities relating to official e-mail retention policy, training, and reviews. We\nidentified weaknesses in NASA requirements, training, and records\nmanagement reviews as discussed in this memorandum.\n\nPrior Coverage. No prior coverage of the retention and storage of e-mail was identified.\n\n\n\n\n                                                                                 Enclosure 1\n                                                                                 Page 2 of 2\n\x0c                         Federal and NASA Regulations\nWe used the following Federal and NASA regulations to conduct our audit.\n\nNARA 36 C.F.R., \xe2\x80\x9cRecords Management\xe2\x80\x9d (July 1, 2006, Edition)\n\n   \xe2\x80\xa2   Part 1220, \xe2\x80\x9cFederal Records; General\xe2\x80\x9d\n\n   \xe2\x80\xa2   Part 1222, \xe2\x80\x9cCreation and Maintenance of Federal Records\xe2\x80\x9d\n\n   \xe2\x80\xa2   Part 1228, \xe2\x80\x9cDisposition of Federal Records\xe2\x80\x9d\n\n   \xe2\x80\xa2   Part 1234, \xe2\x80\x9cElectronic Records Management\xe2\x80\x9d\n\nDoD 5015.02-STD, \xe2\x80\x9cElectronic Records Management Software Applications Design\nCriteria Standard,\xe2\x80\x9d April 25, 2007\n\nNPD 1440.6G, \xe2\x80\x9cNASA Records Management,\xe2\x80\x9d December 12, 2002\n\nNPR 1441.1D, \xe2\x80\x9cNASA Records Retention Schedules (w/Change 3, 1/31/06)\xe2\x80\x9d\n\nCIO Executive Notice 12-9, \xe2\x80\x9cNASA Electronic Mail,\xe2\x80\x9d February 20, 1996\n\nWe also reviewed the draft revision to NPR 1441.1D, Section I.7, and the training\ndeveloped by the NASA Records Officer.\n\n\n\n\n                                                                             Enclosure 2\n                                                                             Page 1 of 1\n\x0c                  Senior Management Official Questionnaire\nThe NASA Office of Inspector General (OIG) is performing an audit of the retention of\nNASA\xe2\x80\x99s official electronic mail (e-mail) by NASA employees. As part of this audit, we\nsampled NASA senior staff with active NASA e-mail accounts to complete our\nquestionnaire regarding their retention of official e-mail. You were selected as part of the\nsurvey sample and are requested to respond to the questions and return your responses to\nyour Center\xe2\x80\x99s Audit Liaison Representative (ALR) within a week of receipt of the\nquestionnaire. At a later date we will schedule a meeting with you to validate your\nresponses to the questionnaire. Any questions or concerns you have regarding the survey\nor the questions should be directed to NASA OIG Project Manager, Mr. Mario Carbone\nat mario.m.carbone@nasa.gov, or 281-483-9572, or Project Lead, Mr. Bret Skalsky at\nbret.skalsky@nasa.gov, or 281-244-1156.\n\nPlease respond to the following:\n\nName:                                         Organization:\n\nE-mail address:                               Phone number:\n\n1. Are you aware of NASA\xe2\x80\x99s or your Center\xe2\x80\x99s official policy on the retention of official\n   e-mail? (circle one)          Yes             No\n     1. a. If no, explain why not.\n     1. b. If yes, identify the policy.\n     1. c. If yes, identify the process for identifying and storing/retaining official\n           e-mail.\n\n2. In your opinion, what constitutes an official e-mail?\n\n3. Have you had any training related to what constitutes an official e-mail and what your\n   responsibilities are regarding official e-mail? (circle one) Yes          No\n     3. a. If yes, from whom?\n     3. b. If yes, when did the training occur?\n     3. c. If yes, what training was provided?\n     3. d. If yes, identify your responsibilities regarding official e-mail.\n\n4. Do you retain all official e-mail? (circle one)        Yes              No\n    4. a. If no, explain why not.\n    4. b. If yes, explain your process for identifying, retaining/storing, and\n          retrieving your official e-mail.\n\n\n\n\n                                                                                 Enclosure 3\n                                                                                 Page 1 of 1\n\x0c                    Center Records Manager Questionnaire\nThe NASA Office of Inspector General (OIG) is performing an audit of the retention of\nNASA\xe2\x80\x99s official electronic mail (e-mail) by NASA employees. As part of this audit, we\nare sending you this questionnaire to inquire about your role in the retention of official\ne-mail at your Center. At a later date we will schedule a meeting with you to validate\nyour responses to the questionnaire. Any questions or concerns you have regarding the\nquestionnaire should be directed to NASA OIG Project Manager, Mr. Mario Carbone at\nmario.m.carbone@nasa.gov, or 281-483-9572, or Project Lead, Mr. Bret Skalsky at\nbret.skalsky@nasa.gov, or 281-244-1156.\n\nPlease respond to the following:\n\nName:                                 Organization:\n\nE-mail address:                       Phone number:\n\n1. Please describe the Center\xe2\x80\x99s policy regarding the storage/retention of official e-mail.\n\n2. Is the Center\xe2\x80\x99s e-mail storage/retention policy identical to that of the Agency\xe2\x80\x99s?\n   (circle one)         Yes             No\n     2. a. If no, explain the differences between the policies and the reason for the\n           difference.\n\n3. What role do you, as the Center Records Manager, play with respect to the Center\xe2\x80\x99s\n   policy for storing/retaining official e-mail?\n\n4. How do you ensure that employees are complying with the e-mail retention policy?\n\n5. Does the Center have written procedures and guidance for employees for identifying\n   official e-mail? (circle one)         Yes             No\n     5. a. If yes, identify the procedure(s) and provide a copy.\n     5. b. If no, explain why not.\n\n6. Does the Center have written procedures and guidance for employees for\n   storing/retaining official e-mail? (circle one)        Yes        No\n     6. a. If yes, identify the procedure(s) and provide a copy.\n     6. b. If no, explain why not.\n\n7. What constitutes an official e-mail and, hence, requiring storage/retention?\n\n8. What constitutes an appropriate recordkeeping system suitable for retaining official\n   e-mail?\n\n\n\n\n                                                                               Enclosure 4\n                                                                               Page 1 of 2\n\x0c9. Can the recordkeeping system be either electronic (e.g., stored on a computer server)\n   or manual (e.g., stored as hardcopies in a file cabinet)? (circle one)    Yes    No\n     9. a. If no, explain why not.\n     9. b. If yes, please identify the name of the server(s) and the name, phone number\n           of who to contact regarding the server.\n\n10. Does the Center require that all employees\xe2\x80\x99 official e-mail be electronically backed\n    up? (circle one)         Yes           No\n      10. a. If yes, how is the backup performed?\n\n11. What training did you, as the Center Records Manager, receive relative to policy and\n    procedures on e-mail retention? (Please specify the training course(s) attended.)\n\n12. What training is available to Center employees pertaining to e-mail retention? Please\n    be specific as to the course title, training provider, frequency of course offerings, etc.\n\n13. Does NASA have a policy for the transfer of official records to NARA?\n    (circle one)        Yes             No\n      13. a. If no, explain why not.\n      13. b. If yes, identify the policy and provide a copy.\n\n\n\n\n                                                                                  Enclosure 4\n                                                                                  Page 2 of 2\n\x0cManagement\xe2\x80\x99s Comments\n\n\n\n\n                        Enclosure 5\n                        Page 1 of 3\n\x0cEnclosure 5\nPage 2 of 3\n\x0cEnclosure 5\nPage 3 of 3\n\x0c'